Argus conversion v2 to v3?

Carter Bullard carter at qosient.com
Tue Jun 25 10:58:50 EDT 2013


Hey Frigidaire Americain,
ra() should just read the file and convert the records automatically.

  $ ./3.0.6/bin/ra -r argus.log

So, I need to see the file to debug.  Can you share the file?  If you
don't want to email it, you can ftp it up to the blind repository
ftp://qosient.com/incoming.  Any file that shows the same behavior
would be great...

You have a problem with your call to ra() when trying to use raconvert().
The start time field is "stime".   You should provide enough fields
so raconvert() can generate the start and stop times properly, and generate
the basic metrics. Be sure to add the "ltime" or "dur", and also provide
spkts, dpkts, sbytes and dbytes fields, so that we have all the basic
bi-directional flow metrics.  We don't have a pkts or bytes field in
argus records, we have src and dst packets and bytes.

Also, the argus.ascii output needs to be comma separated.


  $ ./2.0.6/bin/ra -c, -unns stime dur flgs proto saddr sport dir daddr dport \
     state spkts dpkts sbytes dbytes status -r argus.log > argus.ascii

  $ ./3.0.6/bin/raconvert -r argus.ascii

Is that better?

Carter



On Jun 25, 2013, at 3:41 AM, unFrigidaire Américain <frigidaire.americain at gmail.com> wrote:

> Hello,
> 
> I must be missing something but although I read the FAQ, wiki and manuals, I
> can't find the recommended way to convert logs from Argus v2.0.6 (Debian
> stable package) to v3.x?
> 
> $ ./2.0.6/bin/ra -nr argus.log | wc -l
> 376209
> $ ./3.0.6/bin/ra -nr argus.log
> $ echo $?
> 1
> $ ./2.0.6/bin/ra -unns startime flgs proto saddr sport dir daddr dport \
>                        state pkts bytes status  -r argus.log > argus.ascii
> $ ./3.0.6/bin/raconvert -r argus.ascii
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir
> DstAddr  Dport  TotPkts   TotBytes State
>    00:27:12.000000
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
>    02:19:19.000048
> 
> Thanks!
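A pre-flight check for the export step discussed above, added here as an example; it is not part of the argus tools and not code from either poster. It verifies that an argus.ascii header is comma separated and carries the fields raconvert() needs, and shows what raconvert() derives from the directional counts. The header labels being the ra field names and the sample records are assumptions.

```python
import csv
import io

# Field names raconvert() needs, per the reply above: enough to rebuild the
# start/stop times plus the basic bi-directional metrics.
REQUIRED = ("stime", "flgs", "proto", "saddr", "sport", "dir", "daddr",
            "dport", "state", "spkts", "dpkts", "sbytes", "dbytes", "status")
STOP_TIME_SOURCES = ("dur", "ltime")  # either one lets the stop time be derived

# Names from the original v2-style command that argus does not use,
# mapped to the field(s) that replace them.
RENAMES = {"startime": "stime", "pkts": "spkts dpkts", "bytes": "sbytes dbytes"}


def check_header(line):
    """Return the problems found in an argus.ascii header line (empty = OK)."""
    problems = []
    if "," in line:
        fields = [f.strip().lower() for f in line.split(",")]
    else:  # ra was run without -c, so raconvert() sees one big column
        problems.append("not comma separated: rerun ra with -c,")
        fields = line.lower().split()
    for name in fields:
        if name in RENAMES:
            problems.append(f"unknown field {name}: use {RENAMES[name]}")
    problems += [f"missing field {n}" for n in REQUIRED if n not in fields]
    if not any(t in fields for t in STOP_TIME_SOURCES):
        problems.append("no stop time: add dur or ltime")
    return problems


def derive_metrics(text):
    """Per record, compute what raconvert() derives from the directional fields."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        stime, dur = float(r["stime"]), float(r["dur"])
        out.append({"stime": stime, "ltime": round(stime + dur, 6),
                    "pkts": int(r["spkts"]) + int(r["dpkts"]),
                    "bytes": int(r["sbytes"]) + int(r["dbytes"])})
    return out


# Constructed samples (not real captures). Header labels are assumed to be the
# ra field names; -u makes stime an epoch value with microseconds.
BAD_HEADER = "startime flgs proto saddr sport dir daddr dport state pkts bytes status"
GOOD_EXPORT = """stime,dur,flgs,proto,saddr,sport,dir,daddr,dport,state,spkts,dpkts,sbytes,dbytes,status
1372141632.000000,0.000048,e,tcp,10.0.0.5,51234,->,10.0.0.9,80,CON,3,2,180,120,0
1372141633.250000,1.500000,e,udp,10.0.0.5,53001,->,10.0.0.1,53,INT,1,1,70,140,0
"""

if __name__ == "__main__":
    print(check_header(BAD_HEADER))
    print(check_header(GOOD_EXPORT.splitlines()[0]))
    print(derive_metrics(GOOD_EXPORT))
```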
